diff --git a/0001-pam-align-second-and-third-columns.patch b/0001-pam-align-second-and-third-columns.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8ab341b8e153ca5763bfd43a4bd028f11c41bef0
--- /dev/null
+++ b/0001-pam-align-second-and-third-columns.patch
@@ -0,0 +1,48 @@
+From 9efb224443d819b7d64ec76cb94c8aa625a8abf2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Nov 2022 16:05:48 +0100
+Subject: [PATCH 1/2] pam: align second and third columns
+
+In our template file, we have jinja2 template markers, so the file
+looks fairly messy. But once it's rendered, it looks pretty clean, except
+that the columns are unaligned becuase of "-" in some lines in the first
+column. Let's make them aligned.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 39bcbd71fe..d5597d28cb 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -4,18 +4,18 @@
+ # Used by systemd --user instances.
+
+ {% if ENABLE_HOMED %}
+--account sufficient pam_systemd_home.so
++-account sufficient pam_systemd_home.so
+ {% endif %}
+-account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
++account sufficient pam_unix.so no_pass_expiry
++account required pam_permit.so
+
+ {% if HAVE_SELINUX %}
+-session required pam_selinux.so close
+-session required pam_selinux.so nottys open
++session required pam_selinux.so close
++session required pam_selinux.so nottys open
+ {% endif %}
+-session required pam_loginuid.so
+-session optional pam_keyinit.so force revoke
++session required pam_loginuid.so
++session optional pam_keyinit.so force revoke
+ {% if ENABLE_HOMED %}
+--session optional pam_systemd_home.so
++-session optional pam_systemd_home.so
+ {% endif %}
+-session optional pam_systemd.so
++session optional pam_systemd.so
+--
+2.38.1
+
diff --git a/0002-pam-add-a-call-to-pam_namespace.patch b/0002-pam-add-a-call-to-pam_namespace.patch
new file mode 100644
index 0000000000000000000000000000000000000000..51564d99d3be4d1ece50bf8997d22d5b26655815
--- /dev/null
+++ b/0002-pam-add-a-call-to-pam_namespace.patch
@@ -0,0 +1,41 @@
+From 0ef48896d9f23b9fd547a532a4e6e6b8f8b12901 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 23 Nov 2022 16:09:56 +0100
+Subject: [PATCH 2/2] pam: add a call to pam_namespace
+
+A call to pam_namespace is required so that children of user@.service end up in
+a namespace as expected. pam_namespace gets called as part of the stack that
+creates a session (login, sshd, gdm, etc.) and those processes end up in a
+namespace, but it also needs to be called from our stack which is parallel and
+descends from pid1 itself.
+
+The call to pam_namespace is similar to the call to pam_keyinit that was added
+in ab79099d1684457d040ee7c28b2012e8c1ea9a4f. The pam stack for user@.service
+creates a new session which is disconnected from the parent environment. Both
+calls are not suitable for inclusion in the shared part of the stack (e.g.
+@system-auth on Fedora/RHEL systems), because for example su/sudo/runuser
+should not include them.
+
+Fixes #17043 (Allow to execute user service into dedicated namespace
+ if pam_namespace enabled)
+Related to https://bugzilla.redhat.com/show_bug.cgi?id=1861836
+(Polyinstantiation is ignored/bypassed in GNOME sessions)
+---
+ src/login/systemd-user.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index d5597d28cb..06f7e36458 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -15,6 +15,7 @@ session required pam_selinux.so nottys open
+ {% endif %}
+ session required pam_loginuid.so
+ session optional pam_keyinit.so force revoke
++session required pam_namespace.so
+ {% if ENABLE_HOMED %}
+ -session optional pam_systemd_home.so
+ {% endif %}
+--
+2.38.1
+
diff --git a/0003-pam-actually-align-the-columns.patch b/0003-pam-actually-align-the-columns.patch
new file mode 100644
index 0000000000000000000000000000000000000000..da4fcf2d5149b87a71a80045dedb5c17964bbdcd
--- /dev/null
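Review bot: The added `session required pam_namespace.so` line in the user@.service stack carries no comment explaining why it lives here rather than in the shared stack, and as a `required` entry any pam_namespace failure (missing module, broken namespace configuration) will presumably fail session setup for every `systemd --user` instance. The rationale exists only in the patch description; I would carry it into the template as a comment above the line, e.g. `# Polyinstantiation must be applied here too: this stack descends from pid1, not from the login session.` Since the line has no leading `-` to tolerate an absent module, it is also worth confirming that the package shipping pam_namespace.so is always installed alongside this file.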
+++ b/0003-pam-actually-align-the-columns.patch
@@ -0,0 +1,47 @@
+From 369dfbf43a0064b70a774ccdd3dd1c1a09fd95ca Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 14 Dec 2022 22:23:31 +0100
+Subject: [PATCH 3/4] pam: actually align the columns
+
+In 9efb224443d819b7d64ec76cb94c8aa625a8abf2 was supposed to align
+them, but for some reason I just added a second space everywhere.
+---
+ src/login/systemd-user.in | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in
+index 06f7e36458..9a665bd959 100644
+--- a/src/login/systemd-user.in
++++ b/src/login/systemd-user.in
+@@ -4,19 +4,19 @@
+ # Used by systemd --user instances.
+
+ {% if ENABLE_HOMED %}
+--account sufficient pam_systemd_home.so
++-account sufficient pam_systemd_home.so
+ {% endif %}
+ account sufficient pam_unix.so no_pass_expiry
+-account required pam_permit.so
++account required pam_permit.so
+
+ {% if HAVE_SELINUX %}
+-session required pam_selinux.so close
+-session required pam_selinux.so nottys open
++session required pam_selinux.so close
++session required pam_selinux.so nottys open
+ {% endif %}
+-session required pam_loginuid.so
+-session optional pam_keyinit.so force revoke
+-session required pam_namespace.so
++session required pam_loginuid.so
++session optional pam_keyinit.so force revoke
++session required pam_namespace.so
+ {% if ENABLE_HOMED %}
+--session optional pam_systemd_home.so
++-session optional pam_systemd_home.so
+ {% endif %}
+-session optional pam_systemd.so
++session optional pam_systemd.so
+--
+2.38.1
+
diff --git a/10-oomd-user-service-defaults.conf b/10-oomd-per-slice-defaults.conf
similarity index 86%
rename from 10-oomd-user-service-defaults.conf
rename to 10-oomd-per-slice-defaults.conf
index 94d5c87fe052c7860d6d4a065737f1aa8fdcad5a..fbf6f0040e97e615a3825fb4c6bb397ea5272547 100644
--- a/10-oomd-user-service-defaults.conf
+++ b/10-oomd-per-slice-defaults.conf
@@ -1,3 +1,3 @@
-[Service]
+[Slice]
 ManagedOOMMemoryPressure=kill
 ManagedOOMMemoryPressureLimit=50%
diff --git a/10-oomd-root-slice-defaults.conf b/10-oomd-root-slice-defaults.conf
deleted file mode 100644
index 49958e8e0d101487d18ad8575e4b4a575e9b0aac..0000000000000000000000000000000000000000
--- a/10-oomd-root-slice-defaults.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Slice]
-ManagedOOMSwap=kill
diff --git a/20-grubby.install b/20-grubby.install
deleted file mode 100755
index e059125be5a1fa1ffd5b289c417deda099af1d16..0000000000000000000000000000000000000000
--- a/20-grubby.install
+++ /dev/null
@@ -1,51 +0,0 @@ -#!/bin/bash - -if [[ ! -x /sbin/new-kernel-pkg ]]; then - exit 0 -fi - -COMMAND="$1" -KERNEL_VERSION="$2" -BOOT_DIR_ABS="$3" -KERNEL_IMAGE="$4" - -KERNEL_DIR="${KERNEL_IMAGE%/*}" -[[ "$KERNEL_VERSION" == *\+* ]] && flavor=-"${KERNEL_VERSION##*+}" -case "$COMMAND" in - add) - if [[ "${KERNEL_DIR}" != "/boot" ]]; then - for i in \ - "$KERNEL_IMAGE" \ - "$KERNEL_DIR"/System.map \ - "$KERNEL_DIR"/config \ - "$KERNEL_DIR"/zImage.stub \ - "$KERNEL_DIR"/dtb \ - ; do - [[ -e "$i" ]] || continue - cp -aT "$i" "/boot/${i##*/}-${KERNEL_VERSION}" - command -v restorecon &>/dev/null && \ - restorecon -R "/boot/${i##*/}-${KERNEL_VERSION}" - done - # hmac is .vmlinuz-.hmac so needs a special treatment - i="$KERNEL_DIR/.${KERNEL_IMAGE##*/}.hmac" - if [[ -e "$i" ]]; then - cp -a "$i" "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac" - command -v restorecon &>/dev/null && \ - restorecon "/boot/.${KERNEL_IMAGE##*/}-${KERNEL_VERSION}.hmac" - fi - fi - /sbin/new-kernel-pkg --package "kernel${flavor}" --install "$KERNEL_VERSION" || exit $? - /sbin/new-kernel-pkg --package "kernel${flavor}" --mkinitrd --dracut --depmod --update "$KERNEL_VERSION" || exit $? - /sbin/new-kernel-pkg --package "kernel${flavor}" --rpmposttrans "$KERNEL_VERSION" || exit $? - ;; - remove) - /sbin/new-kernel-pkg --package "kernel${flavor+-$flavor}" --rminitrd --rmmoddep --remove "$KERNEL_VERSION" || exit $? - ;; - *) - ;; -esac - -# skip other installation plugins, if we can't find a boot loader spec conforming setup -if ! [[ -d /boot/loader/entries || -L /boot/loader/entries ]]; then - exit 77 -fi diff --git a/fedora-use-system-auth-in-pam-systemd-user.patch b/fedora-use-system-auth-in-pam-systemd-user.patch new file mode 100644 index 0000000000000000000000000000000000000000..3b7c10d4ae2c2d75aeb0b31a41960639fac4b52a --- /dev/null +++ b/fedora-use-system-auth-in-pam-systemd-user.patch 
@@ -0,0 +1,31 @@ +From 4e6479054ae2090b99a50d6ae954d22efc8340a0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= +Date: Wed, 14 Dec 2022 22:24:53 +0100 +Subject: [PATCH 4/4] fedora: use system-auth in pam systemd-user + +--- + src/login/systemd-user.in | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/login/systemd-user.in b/src/login/systemd-user.in +index 9a665bd959..703a4b3174 100644 +--- a/src/login/systemd-user.in ++++ b/src/login/systemd-user.in +@@ -7,7 +7,7 @@ + -account sufficient pam_systemd_home.so + {% endif %} + account sufficient pam_unix.so no_pass_expiry +-account required pam_permit.so ++account include system-auth + + {% if HAVE_SELINUX %} + session required pam_selinux.so close +@@ -19,4 +19,4 @@ session required pam_namespace.so + {% if ENABLE_HOMED %} + -session optional pam_systemd_home.so + {% endif %} +-session optional pam_systemd.so ++session include system-auth +-- +2.38.1 + diff --git a/split-files.py b/split-files.py index 9614c074e24136054fd69b9258356be4ad0f6b65..783a28483ed85f872875711563cb3a02a2e1863d 100644 --- a/split-files.py +++ b/split-files.py @@ -17,6 +17,7 @@ def files(root): o_libs = open('.file-list-libs', 'w') o_udev = open('.file-list-udev', 'w') +o_boot = open('.file-list-boot', 'w') o_pam = open('.file-list-pam', 'w') o_rpm_macros = open('.file-list-rpm-macros', 'w') o_devel = open('.file-list-devel', 'w') @@ -28,7 +29,7 @@ o_resolve = open('.file-list-resolve', 'w') o_tests = open('.file-list-tests', 'w') o_standalone_tmpfiles = open('.file-list-standalone-tmpfiles', 'w') o_standalone_sysusers = open('.file-list-standalone-sysusers', 'w') -o_rest = open('.file-list-rest', 'w') +o_main = open('.file-list-main', 'w') for file in files(buildroot): n = file.path[1:] if re.match(r'''/usr/(share|include)$| 
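Review bot: Replacing `session optional pam_systemd.so` with `session include system-auth` in the fedora-use-system-auth patch means this stack no longer names pam_systemd.so itself, so session registration for `systemd --user` now depends on what the distribution's system-auth session section contains, and the patch has an empty description that records none of this. The 0002 patch in the same series argues that pam_keyinit and pam_namespace do not belong in the shared stack; the include pulls every shared session module into user@.service, so it is worth checking that system-auth does not repeat or undo those calls. Likewise `account include system-auth` replaces the unconditional `pam_permit.so`, so accounts not accepted by the preceding `pam_unix.so` line are now decided by system-auth's account rules, which looks intended but should be stated. I would add a description to the patch and a comment in the template such as `# system-auth is expected to provide pam_systemd.so for this session`.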
@@ -58,7 +59,11 @@ for file in files(buildroot): o = o_rpm_macros elif '/usr/lib/systemd/tests' in n: o = o_tests - elif re.search(r'/lib.*\.pc|/man3/|/usr/include|(?= 0.43 BuildRequires: gettext @@ -118,6 +131,12 @@ BuildRequires: pkgconfig(bash-completion) BuildRequires: perl BuildRequires: perl(IPC::SysV) +%if 0%{?have_bpf} +BuildRequires: bpftool +%endif + +BuildRequires: xen-devel + Requires(post): coreutils Requires(post): grep # systemd-machine-id-setup requires libssl @@ -130,7 +149,7 @@ Recommends: %{name}-networkd = %{version}-%{release} Recommends: %{name}-resolved = %{version}-%{release} Recommends: diffutils Requires: (util-linux-core or util-linux) -Recommends: libxkbcommon%{?_isa} +Recommends: libxkbcommon Provides: /bin/systemctl Provides: /sbin/shutdown Provides: syslog @@ -144,9 +163,11 @@ Conflicts: initscripts < 9.56.1 Obsoletes: timedatex < 0.6-3 Provides: timedatex = 0.6-3 Conflicts: %{name}-standalone-tmpfiles < %{version}-%{release}^ -Obsoletes: %{name}-standalone-tmpfiles < %{version}-%{release}^ Conflicts: %{name}-standalone-sysusers < %{version}-%{release}^ -Obsoletes: %{name}-standalone-sysusers < %{version}-%{release}^ +Provides: %{name}-tmpfiles = %{version}-%{release} +Obsoletes: %{name}-tmpfiles < %{version}-%{release} +Provides: %{name}-sysusers = %{version}-%{release} +Obsoletes: %{name}-tmpfiles < %{version}-%{release} # Recommends to replace normal Requires deps for stuff that is dlopen()ed Recommends: libidn2.so.0%{?elf_suffix} @@ -211,11 +232,10 @@ Just the definitions of rpm macros. %package devel Summary: Development headers for systemd License: LGPLv2+ and MIT -Requires: %{name}-libs%{?_isa} = %{version}-%{release} +Requires: %{name}-libs = %{version}-%{release} Provides: libudev-devel = %{version} Provides: libudev-devel%{_isa} = %{version} Obsoletes: libudev-devel < 183 -Requires: %{name}-pam = %{version}-%{release} %description devel Development headers and auxiliary files for developing applications linking 
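Review bot: In the `@@ -144,9 +163,11 @@` hunk the second added pair reads `Provides: %{name}-sysusers = %{version}-%{release}` followed by `Obsoletes: %{name}-tmpfiles < %{version}-%{release}`, which repeats the tmpfiles line and leaves the sysusers name without an Obsoletes. This looks like a copy-paste slip; the line should presumably be `Obsoletes: %{name}-sysusers < %{version}-%{release}`. Later hunks make the standalone-tmpfiles and standalone-sysusers subpackages provide and obsolete the same two names while they still conflict with the main package, so a short comment saying which package is expected to satisfy `%{name}-tmpfiles`/`%{name}-sysusers` on a normal system would help the next packager.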
@@ -225,7 +245,7 @@ to libudev or libsystemd. Summary: Rule-based device node and kernel event manager License: LGPLv2+ -Requires: systemd%{?_isa} = %{version}-%{release} +Requires: systemd = %{version}-%{release} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd @@ -248,6 +268,7 @@ Recommends: libelf.so.1%{?elf_suffix} Recommends: libelf.so.1(ELFUTILS_1.7)%{?elf_bits} # used by home, cryptsetup, cryptenroll +Recommends: libfido2.so.1%{?elf_suffix} Recommends: libtss2-esys.so.0%{?elf_suffix} Recommends: libtss2-mu.so.0%{?elf_suffix} Recommends: libtss2-rc.so.0%{?elf_suffix} @@ -258,6 +279,9 @@ Requires: kbd Provides: u2f-hidraw-policy = 1.0.2-40 Obsoletes: u2f-hidraw-policy < 1.0.2-40 +# self-obsoletes to install both packages after split of systemd-boot +Obsoletes: systemd-udev < 252.2^ + %description udev This package contains systemd-udev and the rules and hardware database needed to manage device nodes. This package is necessary on physical machines and in 
@@ -268,14 +292,33 @@ This package also provides systemd-timesyncd, a network time protocol daemon. It also contains tools to manage encrypted home areas and secrets bound to the machine, and to create or grow partitions and make file systems automatically. +%if 0%{?have_gnu_efi} +%package boot-unsigned +Summary: UEFI boot manager (unsigned version) +Provides: systemd-boot-unsigned-%{efi_arch} = %{version}-%{release} +Provides: systemd-boot = %{version}-%{release} +# self-obsoletes to install both packages after split of systemd-boot +Obsoletes: systemd-udev < 252.2^ + +%description boot-unsigned +systemd-boot (short: sd-boot) is a simple UEFI boot manager. It provides a +graphical menu to select the entry to boot and an editor for the kernel command +line. systemd-boot supports systems with UEFI firmware only. + +This package contains the unsigned version. Install systemd-boot instead to get +the version that works with Secure Boot. +%endif + %package container # Name is the same as in Debian Summary: Tools for containers and VMs -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} Requires(post): systemd Requires(preun): systemd Requires(postun): systemd Obsoletes: %{name} < 229-5 +# Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040) +Suggests: libcurl-minimal License: LGPLv2+ %description container 
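Review bot: The new boot-unsigned subpackage declares `Provides: systemd-boot = %{version}-%{release}` while its description tells users to install systemd-boot to get the version that works with Secure Boot. With that Provides, a request for systemd-boot can be satisfied by this unsigned binary, so someone following the description may end up with exactly the build that a Secure Boot firmware will refuse to load. If a signed systemd-boot package exists or is planned (not visible here), I would drop the plain `systemd-boot` Provides and keep only `systemd-boot-unsigned-%{efi_arch}`; if none exists, the last sentence of the description should be reworded so it does not promise one.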
@@ -287,16 +330,13 @@ systemd-importd. %package journal-remote # Name is the same as in Debian Summary: Tools to send journal events over the network -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} License: LGPLv2+ -Requires(pre): /usr/bin/getent -Requires(post): systemd -Requires(preun): systemd -Requires(postun): systemd Requires: firewalld-filesystem Provides: %{name}-journal-gateway = %{version}-%{release} -Provides: %{name}-journal-gateway%{_isa} = %{version}-%{release} Obsoletes: %{name}-journal-gateway < 227-7 +# Bias the system towards libcurl-minimal if nothing pulls in full libcurl (#1997040) +Suggests: libcurl-minimal %description journal-remote Programs to forward journal entries over the network, using encrypted HTTP, and @@ -307,7 +347,7 @@ systemd-journal-upload. %package networkd Summary: System daemon that manages network configurations -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} License: LGPLv2+ Obsoletes: systemd < 246.6-2 @@ -318,7 +358,7 @@ devices. %package resolved Summary: Network Name Resolution manager -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} Obsoletes: %{name} < 249~~ Requires: libidn2.so.0%{?elf_suffix} Requires: libidn2.so.0(IDN2_0.0.0)%{?elf_bits} @@ -341,7 +381,7 @@ a userspace out-of-memory (OOM) killer. %package tests Summary: Internal unit tests for systemd -Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: %{name} = %{version}-%{release} License: LGPLv2+ %description tests @@ -350,6 +390,8 @@ useful to test systemd internals. %package standalone-tmpfiles Summary: Standalone tmpfiles binary for use in non-systemd systems +Provides: %{name}-tmpfiles = %{version}-%{release} +Obsoletes: %{name}-tmpfiles < %{version}-%{release} RemovePathPostfixes: .standalone %description standalone-tmpfiles 
@@ -359,6 +401,8 @@ package and is meant for use in non-systemd systems. %package standalone-sysusers Summary: Standalone sysusers binary for use in non-systemd systems +Provides: %{name}-sysusers = %{version}-%{release} +Obsoletes: %{name}-sysusers < %{version}-%{release} RemovePathPostfixes: .standalone %description standalone-sysusers @@ -366,18 +410,23 @@ Standalone sysusers binary with no dependencies on the systemd-shared library or other libraries from systemd-libs. This package conflicts with the main systemd package and is meant for use in non-systemd systems. +%package doc +Summary: Documentation files for %{name} +Requires: %{name} = %{version}-%{release} +BuildArch: noarch + +%description doc +The %{name}-doc package contains documentation files for %{name}. + %prep %autosetup -n %{name}-stable-%{version} -p1 -test -f src/login/systemd-user.in -cp %{SOURCE12} src/login/systemd-user.in - %build -%define ntpvendor %(source /etc/os-release; echo ${ID}) +%global ntpvendor %(source /etc/os-release; echo ${ID}) %{!?ntpvendor: echo 'NTP vendor zone is not set!'; exit 1} CONFIGURE_OPTS=( - -Dmode=release + -Dmode=release -Dsysvinit-path=/etc/rc.d/init.d -Drc-local=/etc/rc.d/rc.local -Dntp-servers='0.%{ntpvendor}.pool.ntp.org 1.%{ntpvendor}.pool.ntp.org 2.%{ntpvendor}.pool.ntp.org 3.%{ntpvendor}.pool.ntp.org' @@ -392,7 +441,7 @@ CONFIGURE_OPTS=( -Dseccomp=true -Dima=true -Dselinux=true - -Dbpf-framework=true + -Dbpf-framework=%[0%{?have_bpf}?"true":"false"] -Dapparmor=false -Dpolkit=true -Dxz=true @@ -406,7 +455,7 @@ CONFIGURE_OPTS=( -Dopenssl=true -Dcryptolib=openssl -Dp11kit=true - -Dgcrypt=true + -Dgcrypt=false -Daudit=true -Delfutils=true -Dlibcryptsetup=%[%{with bootstrap}?"false":"true"] 
@@ -418,15 +467,16 @@ CONFIGURE_OPTS=( -Dlibidn2=true -Dlibiptc=false -Dlibcurl=true - -Dlibfido2=false + -Dlibfido2=true -Defi=true - -Dgnu-efi="true" + -Dgnu-efi=%[%{?have_gnu_efi}?"true":"false"] -Dtpm=true -Dtpm2=true -Dhwdb=true -Dsysusers=true -Dstandalone-binaries=true -Ddefault-kill-user-processes=false + -Dfirst-boot-full-preset=true -Dtests=unsafe -Dinstall-tests=true -Dtty-gid=5 @@ -440,9 +490,10 @@ CONFIGURE_OPTS=( -Db_ndebug=false -Dman=true -Dversion-tag=v%{version}-%{release} + -Dshared-lib-tag=%{version}-%{release} -Dfallback-hostname=%[0%{?anolis}?"anolis":"localhost"] -Ddefault-dnssec=no - -Ddefault-dns-over-tls=opportunistic + -Ddefault-dns-over-tls=no -Ddefault-mdns=no -Ddefault-llmnr=resolve -Dstatus-unit-format-default=combined @@ -565,26 +616,20 @@ install -Dm0644 %{SOURCE4} %{buildroot}/etc/dnf/protected.d/systemd.conf install -Dm0644 -t %{buildroot}/usr/lib/firewalld/services/ %{SOURCE7} %{SOURCE8} # Install additional docs -install -Dm0644 -t %{buildroot}%{_pkgdocdir}/ %{SOURCE9} +install -Dm0644 -t %{buildroot}%{_docdir}/%{name}-%{doc} %{SOURCE9} +rm -rf %{buildroot}%{_docdir}/%{name} install -Dm0644 -t %{buildroot}%{system_unit_dir}/systemd-udev-trigger.service.d/ %{SOURCE10} -mkdir -p %{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/ -cat >%{buildroot}%{system_unit_dir}/systemd-hostnamed.service.d/disable-privatedevices.conf </dev/null || : -%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service systemd-boot-update.service +%global udev_services systemd-udev{d,-settle,-trigger}.service systemd-udevd-{control,kernel}.socket systemd-timesyncd.service %{?have_gnu_efi:systemd-boot-update.service} %post udev # Move old stuff around in /var/lib 
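Review bot: The change from `-Ddefault-dns-over-tls=opportunistic` to `-Ddefault-dns-over-tls=no` in CONFIGURE_OPTS turns off opportunistic DNS-over-TLS for systemd-resolved by default, next to the already present `-Ddefault-dnssec=no`, so systems without an explicit setting in resolved.conf will send queries in cleartext to servers with which they previously attempted TLS. Nothing visible in the hunk or in the added %changelog entry records the reason. If this is deliberate, I would note it in the changelog and beside the option, e.g. `# DoT off by default: <reason>`, and mention that administrators can restore the earlier behaviour with `DNSOverTLS=opportunistic` in resolved.conf.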
@@ -779,7 +824,9 @@ if [ $1 -eq 0 ] ; then fi %post resolved -[ $1 -gt 1 ] && exit 0 +[ $1 -eq 1 ] || exit 0 + +touch %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation if ls /usr/lib/systemd/libsystemd-shared-24[0-8].so &>/dev/null; then echo "Skipping presets for systemd-resolved.service, seems we are upgrading from old systemd." @@ -789,6 +836,10 @@ fi %systemd_post systemd-resolved.service %posttrans resolved +[ -e %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation ] || exit 0 +rm %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation +# Initial installation + # Create /etc/resolv.conf symlink. if systemctl -q is-enabled systemd-resolved.service &>/dev/null && ! systemd-analyze cat-config systemd/resolved.conf 2>/dev/null | @@ -802,11 +853,7 @@ if systemctl -q is-enabled systemd-resolved.service &>/dev/null && fi fi -%global _docdir_fmt %{name} - -%files -f %{name}.lang -f .file-list-rest -%doc %{_pkgdocdir} -%exclude %{_pkgdocdir}/LICENSE* +%files -f %{name}.lang -f .file-list-main # Only the licenses texts for the licenses in License line are included. %license LICENSE.GPL2 LICENSE.LGPL2.1 %license LICENSES/MIT.txt @@ -841,6 +888,10 @@ fi %files udev -f .file-list-udev +%if 0%{?have_gnu_efi} +%files boot-unsigned -f .file-list-boot +%endif + %files container -f .file-list-container %ghost %dir %attr(0700,-,-) /var/lib/machines @@ -856,7 +907,19 @@ fi %files standalone-sysusers -f .file-list-standalone-sysusers +%files doc +%doc NEWS README README.md TODO +%doc docs/UIDS-GIDS.md +%doc docs/CONTRIBUTING.md docs/RELEASE.md +%doc docs/TRANSIENT-SETTINGS.md docs/TRANSLATORS.md +%doc docs/ENVIRONMENT.md docs/CODING_STYLE.md +%doc docs/DISTRO_PORTING.md docs/HACKING.md +%{_docdir}/%{name}-%{doc}/20-yama-ptrace.conf + %changelog +* Thu Jan 05 2023 happy_orange - 252.4-1 +- update to 252.4 + * Fri Mar 25 2022 Chunmei Xu - 250.4-1 - update to 250.4 from stable repo 
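Review bot: The new `%files doc` entry `%{_docdir}/%{name}-%{doc}/20-yama-ptrace.conf`, like the matching `install -Dm0644 -t %{buildroot}%{_docdir}/%{name}-%{doc} %{SOURCE9}` line in the earlier install hunk, uses `%{doc}` as a macro, and no definition of it is visible in these hunks. Unless `doc` is defined elsewhere in the spec, rpm leaves an undefined macro unexpanded, so the file would land in a directory whose name literally contains `%{doc}`; the intent looks like `%{_docdir}/%{name}-doc`. Separately, the added `touch %{_localstatedir}/lib/rpm-state/systemd-resolved.initial-installation` in `%post resolved` assumes the rpm-state directory already exists, and a one-line comment there explaining the %post to %posttrans hand-off would make the marker file's purpose clear.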
diff --git a/sysusers.generate-pre.sh b/sysusers.generate-pre.sh index fd9938d72d89f142cb876a50318a9a9a5c0a2052..a077bb72243fc09c57d95fb935e39d02937bcca2 100755 --- a/sysusers.generate-pre.sh +++ b/sysusers.generate-pre.sh 
@@ -1,79 +1,96 @@ #!/bin/bash +# -*- mode: shell-script; indent-tabs-mode: true; tab-width: 4; -*- # This script turns sysuser.d files into scriptlets mandated by Fedora # packaging guidelines. The general idea is to define users using the # declarative syntax but to turn this into traditional scriptlets. user() { - user="$1" - uid="$2" - desc="$3" - group="$4" - home="$5" - shell="$6" + user="$1" + uid="$2" + desc="$3" + group="$4" + home="$5" + shell="$6" - [ "$desc" = '-' ] && desc= - { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/ - { [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/sbin/nologin + [ "$desc" = '-' ] && desc= + { [ "$home" = '-' ] || [ "$home" = '' ]; } && home=/ + { [ "$shell" = '-' ] || [ "$shell" = '' ]; } && shell=/usr/sbin/nologin - if [ "$uid" = '-' ] || [ "$uid" = '' ]; then - cat </dev/null || \\ - useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' -EOF - else - cat </dev/null ; then - if ! getent passwd '$uid' >/dev/null ; then - useradd -r -u '$uid' -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user' - else - useradd -r -g '$group' -d '$home' -s /sbin/nologin -c '$desc' '$user' - fi -fi + if [ "$uid" = '-' ] || [ "$uid" = '' ]; then + cat <<-EOF + getent passwd '$user' >/dev/null || \\ + useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || : + EOF + else + cat <<-EOF + if ! getent passwd '$user' >/dev/null; then + if ! 
getent passwd '$uid' >/dev/null; then + useradd -r -u '$uid' -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || : + else + useradd -r -g '$group' -d '$home' -s '$shell' -c '$desc' '$user' || : + fi + fi -EOF - fi + EOF + fi } group() { - group="$1" - gid="$2" - if [ "$gid" = '-' ]; then - cat <<-EOF - getent group '$group' >/dev/null || groupadd -r '$group' - EOF - else - cat <<-EOF - getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group' + group="$1" + gid="$2" + + if [ "$gid" = '-' ]; then + cat <<-EOF + getent group '$group' >/dev/null || groupadd -r '$group' || : + EOF + else + cat <<-EOF + getent group '$group' >/dev/null || groupadd -f -g '$gid' -r '$group' || : + EOF + fi +} + +usermod() { + user="$1" + group="$2" + + cat <<-EOF + if getent group '$group' >/dev/null; then + usermod -a -G '$group' '$user' || : + fi EOF - fi } parse() { - while read -r line || [ -n "$line" ] ; do - { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue - line="${line## *}" - [ -z "$line" ] && continue - eval "arr=( $line )" - case "${arr[0]}" in - ('u') - group "${arr[1]}" "${arr[2]}" - user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" - # TODO: user:group support - ;; - ('g') - group "${arr[1]}" "${arr[2]}" - ;; - ('m') - group "${arr[2]}" "-" - user "${arr[1]}" "-" "" "${arr[2]}" - ;; - esac - done + while read -r line || [ -n "$line" ] ; do + { [ "${line:0:1}" = '#' ] || [ "${line:0:1}" = ';' ]; } && continue + line="${line## *}" + [ -z "$line" ] && continue + eval "arr=( $line )" + case "${arr[0]}" in + ('u') + if [[ "${arr[2]}" == *":"* ]]; then + user "${arr[1]}" "${arr[2]%:*}" "${arr[3]}" "${arr[2]#*:}" "${arr[4]}" "${arr[5]}" + else + group "${arr[1]}" "${arr[2]}" + user "${arr[1]}" "${arr[2]}" "${arr[3]}" "${arr[1]}" "${arr[4]}" "${arr[5]}" + fi + ;; + ('g') + group "${arr[1]}" "${arr[2]}" + ;; + ('m') + group "${arr[2]}" "-" + user "${arr[1]}" "-" "" "${arr[1]}" "" "" + usermod "${arr[1]}" "${arr[2]}" + ;; 
+ esac + done } for fn in "$@"; do - [ -e "$fn" ] || continue - echo "# generated from $(basename "$fn")" - parse <"$fn" + [ -e "$fn" ] || continue + echo "# generated from $(basename "$fn")" + parse <"$fn" done diff --git a/triggers.systemd b/triggers.systemd index 592903523ed926deb10a08209cd58fc82ea26cbf..719789b3fd1d5b80e22bb67e73e481927a8af816 100644 --- a/triggers.systemd +++ b/triggers.systemd @@ -55,23 +55,17 @@ fi # This script will process files installed in /usr/lib/sysusers.d to create # specified users automatically. The priority is set such that it # will run before the tmpfiles file trigger. -if test -d "/run/systemd/system"; then - systemd-sysusers || : -fi +systemd-sysusers || : %transfiletriggerin -P 1000700 udev -- /usr/lib/udev/hwdb.d # This script will automatically invoke hwdb update if files have been # installed or updated in /usr/lib/udev/hwdb.d. -if test -d "/run/systemd/system"; then - systemd-hwdb update || : -fi +systemd-hwdb update || : %transfiletriggerin -P 1000700 -- /usr/lib/systemd/catalog # This script will automatically invoke journal catalog update if files # have been installed or updated in /usr/lib/systemd/catalog. -if test -d "/run/systemd/system"; then - journalctl --update-catalog || : -fi +journalctl --update-catalog || : %transfiletriggerin -P 1000700 -- /usr/lib/binfmt.d # This script will automatically apply binfmt rules if files have been diff --git a/use-bfq-scheduler.patch b/use-bfq-scheduler.patch new file mode 100644 index 0000000000000000000000000000000000000000..59e642a1a70d0cd852e27d5f4b562de03da37575 --- /dev/null +++ b/use-bfq-scheduler.patch 
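Review bot: In the `('m')` branch of parse(), the rewritten call `user "${arr[1]}" "-" "" "${arr[1]}" "" ""` passes the user name as the primary group, but the only group this branch creates is `${arr[2]}`, so when the user does not already exist the generated `useradd -r -g` names a group that may not exist. Because this hunk also appends `|| :` to every useradd, groupadd and usermod, that failure no longer stops the scriptlet and the membership is silently not applied. I would either emit `group "${arr[1]}" "-"` before the `user` call or add a comment that `m` lines are only expected for users declared by an earlier `u` line. The unchanged `eval "arr=( $line )"` context line means sysusers.d input is evaluated as shell when the scriptlets are generated, so these files should only ever come from the package's own sources.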
@@ -0,0 +1,43 @@
+From 1990fb757f6d275d807fcb48ad09f5fc7c947bc6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
+Date: Wed, 14 Aug 2019 15:57:42 +0200
+Subject: [PATCH] udev: use bfq as the default scheduler
+
+As requested in https://bugzilla.redhat.com/show_bug.cgi?id=1738828.
+Test results are that bfq seems to behave better and more consistently on
+typical hardware. The kernel does not have a configuration option to set
+the default scheduler, and it currently needs to be set by userspace.
+
+See the bug for more discussion and links.
+---
+ rules.d/60-block-scheduler.rules | 5 +++++
+ rules.d/meson.build | 1 +
+ 2 files changed, 6 insertions(+)
+ create mode 100644 rules.d/60-block-scheduler.rules
+
+diff --git a/rules.d/60-block-scheduler.rules b/rules.d/60-block-scheduler.rules
+new file mode 100644
+index 0000000000..850b64540e
+--- /dev/null
++++ b/rules.d/60-block-scheduler.rules
+@@ -0,0 +1,5 @@
++# do not edit this file, it will be overwritten on update
++
++ACTION=="add", SUBSYSTEM=="block", ENV{DEVTYPE}=="disk", \
++ KERNEL=="mmcblk*[0-9]|msblk*[0-9]|mspblk*[0-9]|sd*[!0-9]|sr*", \
++ ATTR{queue/scheduler}="bfq"
+diff --git a/rules.d/meson.build b/rules.d/meson.build
+index 8d2878a36d..a3b395c9ce 100644
+--- a/rules.d/meson.build
++++ b/rules.d/meson.build
+@@ -8,6 +8,7 @@ rules = [
+ [files('60-autosuspend.rules',
+ '60-block.rules',
+ '60-cdrom_id.rules',
++ '60-block-scheduler.rules',
+ '60-drm.rules',
+ '60-evdev.rules',
+ '60-fido-id.rules',
+--
+2.37.2
+
diff --git a/v250.4.tar.gz b/v252.4.tar.gz
similarity index 56%
rename from v250.4.tar.gz
rename to v252.4.tar.gz
index 3149d2994d497478f6caedcc7d5de0035c274c71..1b1112807e47247ccb442ade741bd1ba4373a835 100644
Binary files a/v250.4.tar.gz and b/v252.4.tar.gz differ